Skip to content

Fix cert validation become for remote_src certificates #100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Oddly merged 2 commits into from
Mar 12, 2026
Merged

Fix cert validation become for remote_src certificates #100

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
072179f
Fix cert validation become for remote_src certificates
Oddly Mar 12, 2026
c560dd6
Fix kibana_extra_config template for string values
Oddly Mar 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 11 additions & 11 deletions roles/elasticstack/tasks/certs/cert_validate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
path: "{{ _validate_cert_path }}"
register: _elasticstack_validate_cert_stat
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"

- name: certs | cert_validate | Fail if certificate file missing — {{ _validate_service }}
ansible.builtin.fail:
Expand All @@ -36,7 +36,7 @@
failed_when: false
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"

- name: certs | cert_validate | Probe for P12 format — {{ _validate_service }}
ansible.builtin.command:
Expand All @@ -47,7 +47,7 @@
failed_when: false
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"
no_log: true
when: _elasticstack_validate_pem_probe.rc != 0

Expand Down Expand Up @@ -80,7 +80,7 @@
path: "{{ _elasticstack_validate_derived_key }}"
register: _elasticstack_validate_derived_key_stat
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"

- name: certs | cert_validate | Fail if derived key not found — {{ _validate_service }}
ansible.builtin.fail:
Expand Down Expand Up @@ -116,7 +116,7 @@
register: _elasticstack_validate_pem_count
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"

- name: certs | cert_validate | Set CA extracted fact — {{ _validate_service }}
ansible.builtin.set_fact:
Expand All @@ -136,7 +136,7 @@
failed_when: false
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"
when: _elasticstack_validate_pem_probe.rc == 0

- name: certs | cert_validate | Fail if certificate already expired — {{ _validate_service }}
Expand All @@ -162,7 +162,7 @@
register: _elasticstack_validate_cert_modulus
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"

- name: certs | cert_validate | Get key modulus — {{ _validate_service }}
ansible.builtin.shell:
Expand All @@ -176,7 +176,7 @@
changed_when: false
failed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"
no_log: true

# If RSA modulus failed, try EC key
Expand All @@ -192,7 +192,7 @@
changed_when: false
failed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"
no_log: true
when: _elasticstack_validate_key_modulus.rc != 0

Expand All @@ -203,7 +203,7 @@
register: _elasticstack_validate_ec_cert_fp
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"
when: _elasticstack_validate_key_modulus.rc != 0

- name: certs | cert_validate | Fail if RSA key does not match certificate — {{ _validate_service }}
Expand Down Expand Up @@ -240,7 +240,7 @@
register: _elasticstack_validate_san_output
changed_when: false
delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
become: false
become: "{{ _validate_remote_src | bool }}"

- name: certs | cert_validate | Warn if SAN does not include this node — {{ _validate_service }}
ansible.builtin.debug:
Expand Down
4 changes: 4 additions & 0 deletions roles/kibana/templates/kibana.yml.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,5 +43,9 @@ server.ssl.keystore.path: "/etc/kibana/certs/{{ inventory_hostname }}-kibana.p12
{% endif %}

{% if kibana_extra_config is defined and kibana_extra_config %}
{% if kibana_extra_config is mapping %}
{{ kibana_extra_config | to_nice_yaml(indent=2, sort_keys=False) }}
{% else %}
{{ kibana_extra_config }}
{% endif %}
{% endif %}
Loading